1. 30 Jul, 2024 9 commits
    • D. Wythe's avatar
      net/smc: prevent UAF in inet_create() · 2fe5273f
      D. Wythe authored
      Following syzbot repro crashes the kernel:
      
      socketpair(0x2, 0x1, 0x100, &(0x7f0000000140)) (fail_nth: 13)
      
      Fix this by not calling sk_common_release() from smc_create_clcsk().
      
      Stack trace:
      socket: no more sockets
      ------------[ cut here ]------------
      refcount_t: underflow; use-after-free.
       WARNING: CPU: 1 PID: 5092 at lib/refcount.c:28
      refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
      Modules linked in:
      CPU: 1 PID: 5092 Comm: syz-executor424 Not tainted
      6.10.0-syzkaller-04483-g0be9ae54 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 06/27/2024
       RIP: 0010:refcount_warn_saturate+0x15a/0x1d0 lib/refcount.c:28
      Code: 80 f3 1f 8c e8 e7 69 a8 fc 90 0f 0b 90 90 eb 99 e8 cb 4f e6 fc c6
      05 8a 8d e8 0a 01 90 48 c7 c7 e0 f3 1f 8c e8 c7 69 a8 fc 90 <0f> 0b 90
      90 e9 76 ff ff ff e8 a8 4f e6 fc c6 05 64 8d e8 0a 01 90
      RSP: 0018:ffffc900034cfcf0 EFLAGS: 00010246
      RAX: 3b9fcde1c862f700 RBX: ffff888022918b80 RCX: ffff88807b39bc00
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
      RBP: 0000000000000003 R08: ffffffff815878a2 R09: fffffbfff1c39d94
      R10: dffffc0000000000 R11: fffffbfff1c39d94 R12: 00000000ffffffe9
      R13: 1ffff11004523165 R14: ffff888022918b28 R15: ffff888022918b00
      FS:  00005555870e7380(0000) GS:ffff8880b9500000(0000)
      knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000020000140 CR3: 000000007582e000 CR4: 00000000003506f0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
      Call Trace:
       <TASK>
       inet_create+0xbaf/0xe70
        __sock_create+0x490/0x920 net/socket.c:1571
        sock_create net/socket.c:1622 [inline]
        __sys_socketpair+0x2ca/0x720 net/socket.c:1769
        __do_sys_socketpair net/socket.c:1822 [inline]
        __se_sys_socketpair net/socket.c:1819 [inline]
        __x64_sys_socketpair+0x9b/0xb0 net/socket.c:1819
        do_syscall_x64 arch/x86/entry/common.c:52 [inline]
        do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x77/0x7f
      RIP: 0033:0x7fbcb9259669
      Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 a1 1a 00 00 90 48 89 f8 48 89
      f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
      f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
      RSP: 002b:00007fffe931c6d8 EFLAGS: 00000246 ORIG_RAX: 0000000000000035
      RAX: ffffffffffffffda RBX: 00007fffe931c6f0 RCX: 00007fbcb9259669
      RDX: 0000000000000100 RSI: 0000000000000001 RDI: 0000000000000002
      RBP: 0000000000000002 R08: 00007fffe931c476 R09: 00000000000000a0
      R10: 0000000020000140 R11: 0000000000000246 R12: 00007fffe931c6ec
      R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
       </TASK>
      
      Link: https://lore.kernel.org/r/20240723175809.537291-1-edumazet@google.com/
      Fixes: d25a92cc ("net/smc: Introduce IPPROTO_SMC")
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarD. Wythe <alibuda@linux.alibaba.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Reviewed-by: default avatarWenjia Zhang <wenjia@linux.ibm.com>
      Link: https://patch.msgid.link/1722224415-30999-1-git-send-email-alibuda@linux.alibaba.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      2fe5273f
    • Paolo Abeni's avatar
      Merge branch 'mptcp-fix-inconsistent-backup-usage' · 0cd55ef9
      Paolo Abeni authored
      Matthieu Baerts says:
      
      ====================
      mptcp: fix inconsistent backup usage
      
      In all the MPTCP backup related tests, the backup flag was set on one
      side, and the expected behaviour is to have both sides respecting this
      decision. That's also the "natural" way, and what the users seem to
      expect.
      
      On the scheduler side, only the 'backup' field was checked, which is
      supposed to be set only if the other peer flagged a subflow as backup.
      But in various places, this flag was also set when the local host
      flagged the subflow as backup, certainly to have the expected behaviour
      mentioned above.
      
      Patch 1 modifies the packet scheduler to check if the backup flag has
      been set on both directions, not to change its behaviour after having
      applied the following patches. That's what the default packet scheduler
      should have done since the beginning in v5.7.
      
      Patch 2 fixes the backup flag being mirrored on the MPJ+SYN+ACK by
      accident since its introduction in v5.7. Instead, the received and sent
      backup flags are properly distinguished in requests.
      
      Patch 3 stops setting the received backup flag as well when sending an
      MP_PRIO, something that was done since the MP_PRIO support in v5.12.
      
      Patch 4 adds related and missing MIB counters to be able to easily check
      if MP_JOIN are sent with a backup flag. Certainly because these counters
      were not there, the behaviour that is fixed by patches here was not
      properly verified.
      
      Patch 5 validates the previous patch by extending the MPTCP Join
      selftest.
      
      Patch 6 fixes the backup support in signal endpoints: if a signal
      endpoint had the backup flag, it was not set in the MPJ+SYN+ACK as
      expected. It was only set for ongoing connections, but not future ones
      as expected, since the introduction of the backup flag in endpoints in
      v5.10.
      
      Patch 7 validates the previous patch by extending the MPTCP Join
      selftest as well.
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      ---
      Matthieu Baerts (NGI0) (7):
            mptcp: sched: check both directions for backup
            mptcp: distinguish rcv vs sent backup flag in requests
            mptcp: pm: only set request_bkup flag when sending MP_PRIO
            mptcp: mib: count MPJ with backup flag
            selftests: mptcp: join: validate backup in MPJ
            mptcp: pm: fix backup support in signal endpoints
            selftests: mptcp: join: check backup support in signal endp
      
       include/trace/events/mptcp.h                    |  2 +-
       net/mptcp/mib.c                                 |  2 +
       net/mptcp/mib.h                                 |  2 +
       net/mptcp/options.c                             |  2 +-
       net/mptcp/pm.c                                  | 12 +++++
       net/mptcp/pm_netlink.c                          | 19 ++++++-
       net/mptcp/pm_userspace.c                        | 18 +++++++
       net/mptcp/protocol.c                            | 10 ++--
       net/mptcp/protocol.h                            |  4 ++
       net/mptcp/subflow.c                             | 10 ++++
       tools/testing/selftests/net/mptcp/mptcp_join.sh | 72 ++++++++++++++++++++-----
       11 files changed, 132 insertions(+), 21 deletions(-)
      ====================
      
      Link: https://patch.msgid.link/20240727-upstream-net-20240727-mptcp-backup-signal-v1-0-f50b31604cf1@kernel.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      0cd55ef9
    • Matthieu Baerts (NGI0)'s avatar
      selftests: mptcp: join: check backup support in signal endp · f833470c
      Matthieu Baerts (NGI0) authored
      Before the previous commit, 'signal' endpoints with the 'backup' flag
      were ignored when sending the MP_JOIN.
      
      The MPTCP Join selftest has then been modified to validate this case:
      the "single address, backup" test, is now validating the MP_JOIN with a
      backup flag as it is what we expect it to do with such name. The
      previous version has been kept, but renamed to "single address, switch
      to backup" to avoid confusions.
      
      The "single address with port, backup" test is also now validating the
      MPJ with a backup flag, which makes more sense than checking the switch
      to backup with an MP_PRIO.
      
      The "mpc backup both sides" test is now validating that the backup flag
      is also set in MP_JOIN from and to the addresses used in the initial
      subflow, using the special ID 0.
      
      The 'Fixes' tag here below is the same as the one from the previous
      commit: this patch here is not fixing anything wrong in the selftests,
      but it validates the previous fix for an issue introduced by this commit
      ID.
      
      Fixes: 4596a2c1 ("mptcp: allow creating non-backup subflows")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      f833470c
    • Matthieu Baerts (NGI0)'s avatar
      mptcp: pm: fix backup support in signal endpoints · 6834097f
      Matthieu Baerts (NGI0) authored
      There was a support for signal endpoints, but only when the endpoint's
      flag was changed during a connection. If an endpoint with the signal and
      backup was already present, the MP_JOIN reply was not containing the
      backup flag as expected.
      
      That's confusing to have this inconsistent behaviour. On the other hand,
      the infrastructure to set the backup flag in the SYN + ACK + MP_JOIN was
      already there, it was just never set before. Now when requesting the
      local ID from the path-manager, the backup status is also requested.
      
      Note that when the userspace PM is used, the backup flag can be set if
      the local address was already used before with a backup flag, e.g. if
      the address was announced with the 'backup' flag, or a subflow was
      created with the 'backup' flag.
      
      Fixes: 4596a2c1 ("mptcp: allow creating non-backup subflows")
      Cc: stable@vger.kernel.org
      Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/507Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      6834097f
    • Matthieu Baerts (NGI0)'s avatar
      selftests: mptcp: join: validate backup in MPJ · 935ff5bb
      Matthieu Baerts (NGI0) authored
      A peer can notify the other one that a subflow has to be treated as
      "backup" by two different ways: either by sending a dedicated MP_PRIO
      notification, or by setting the backup flag in the MP_JOIN handshake.
      
      The selftests were previously monitoring the former, but not the latter.
      This is what is now done here by looking at these new MIB counters when
      validating the 'backup' cases:
      
        MPTcpExtMPJoinSynBackupRx
        MPTcpExtMPJoinSynAckBackupRx
      
      The 'Fixes' tag here below is the same as the one from the previous
      commit: this patch here is not fixing anything wrong in the selftests,
      but it will help to validate a new fix for an issue introduced by this
      commit ID.
      
      Fixes: 4596a2c1 ("mptcp: allow creating non-backup subflows")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      935ff5bb
    • Matthieu Baerts (NGI0)'s avatar
      mptcp: mib: count MPJ with backup flag · 4dde0d72
      Matthieu Baerts (NGI0) authored
      Without such counters, it is difficult to easily debug issues with MPJ
      not having the backup flags on production servers.
      
      This is not strictly a fix, but it eases to validate the following
      patches without requiring to take packet traces, to query ongoing
      connections with Netlink with admin permissions, or to guess by looking
      at the behaviour of the packet scheduler. Also, the modification is self
      contained, isolated, well controlled, and the increments are done just
      after others, there from the beginning. It looks then safe, and helpful
      to backport this.
      
      Fixes: 4596a2c1 ("mptcp: allow creating non-backup subflows")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4dde0d72
    • Matthieu Baerts (NGI0)'s avatar
      mptcp: pm: only set request_bkup flag when sending MP_PRIO · 4258b948
      Matthieu Baerts (NGI0) authored
      The 'backup' flag from mptcp_subflow_context structure is supposed to be
      set only when the other peer flagged a subflow as backup, not the
      opposite.
      
      Fixes: 06706542 ("mptcp: add the outgoing MP_PRIO support")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      4258b948
    • Matthieu Baerts (NGI0)'s avatar
      mptcp: distinguish rcv vs sent backup flag in requests · efd340bf
      Matthieu Baerts (NGI0) authored
      When sending an MP_JOIN + SYN + ACK, it is possible to mark the subflow
      as 'backup' by setting the flag with the same name. Before this patch,
      the backup was set if the other peer set it in its MP_JOIN + SYN
      request.
      
      It is not correct: the backup flag should be set in the MPJ+SYN+ACK only
      if the host asks for it, and not mirroring what was done by the other
      peer. It is then required to have a dedicated bit for each direction,
      similar to what is done in the subflow context.
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      efd340bf
    • Matthieu Baerts (NGI0)'s avatar
      mptcp: sched: check both directions for backup · b6a66e52
      Matthieu Baerts (NGI0) authored
      The 'mptcp_subflow_context' structure has two items related to the
      backup flags:
      
       - 'backup': the subflow has been marked as backup by the other peer
      
       - 'request_bkup': the backup flag has been set by the host
      
      Before this patch, the scheduler was only looking at the 'backup' flag.
      That can make sense in some cases, but it looks like that's not what we
      wanted for the general use, because either the path-manager was setting
      both of them when sending an MP_PRIO, or the receiver was duplicating
      the 'backup' flag in the subflow request.
      
      Note that the use of these two flags in the path-manager are going to be
      fixed in the next commits, but this change here is needed not to modify
      the behaviour.
      
      Fixes: f296234c ("mptcp: Add handling of incoming MP_JOIN requests")
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMat Martineau <martineau@kernel.org>
      Signed-off-by: default avatarMatthieu Baerts (NGI0) <matttbe@kernel.org>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      b6a66e52
  2. 29 Jul, 2024 16 commits
  3. 27 Jul, 2024 3 commits
  4. 26 Jul, 2024 12 commits
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_event: Fix setting DISCOVERY_FINDING for passive scanning · df3d6a3e
      Luiz Augusto von Dentz authored
      DISCOVERY_FINDING shall only be set for active scanning as passive
      scanning is not meant to generate MGMT Device Found events causing
      discovering state to go out of sync since userspace would believe it
      is discovering when in fact it is just passive scanning.
      
      Cc: stable@vger.kernel.org
      Link: https://bugzilla.kernel.org/show_bug.cgi?id=219088
      Fixes: 2e2515c1 ("Bluetooth: hci_event: Set DISCOVERY_FINDING on SCAN_ENABLED")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      df3d6a3e
    • Arnd Bergmann's avatar
      Bluetooth: btmtk: remove #ifdef around declarations · 7a8c6fb2
      Arnd Bergmann authored
      The caller of these functions in btusb.c is guarded with an
      if(IS_ENABLED()) style check, so dead code is left out, but the
      declarations are still needed at compile time:
      
      drivers/bluetooth/btusb.c: In function 'btusb_mtk_reset':
      drivers/bluetooth/btusb.c:2705:15: error: implicit declaration of function 'btmtk_usb_subsys_reset' [-Wimplicit-function-declaration]
       2705 |         err = btmtk_usb_subsys_reset(hdev, btmtk_data->dev_id);
            |               ^~~~~~~~~~~~~~~~~~~~~~
      drivers/bluetooth/btusb.c: In function 'btusb_send_frame_mtk':
      drivers/bluetooth/btusb.c:2720:23: error: implicit declaration of function 'alloc_mtk_intr_urb' [-Wimplicit-function-declaration]
       2720 |                 urb = alloc_mtk_intr_urb(hdev, skb, btusb_tx_complete);
            |                       ^~~~~~~~~~~~~~~~~~
      drivers/bluetooth/btusb.c:2720:21: error: assignment to 'struct urb *' from 'int' makes pointer from integer without a cast [-Wint-conversion]
       2720 |                 urb = alloc_mtk_intr_urb(hdev, skb, btusb_tx_complete);
            |                     ^
      
      Fixes: f0c83a23 ("Bluetooth: btmtk: Fix btmtk.c undefined reference build error")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarAngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      7a8c6fb2
    • Arnd Bergmann's avatar
      Bluetooth: btmtk: Fix btmtk.c undefined reference build error harder · 61f7a8f9
      Arnd Bergmann authored
      The previous fix was incomplete as the link failure still persists
      with CONFIG_USB=m when the sdio or serial wrappers for btmtk.c
      are build-in:
      
      btmtk.c:(.text+0x468): undefined reference to `usb_alloc_urb'
      btmtk.c:(.text+0x488): undefined reference to `usb_free_urb'
      btmtk.c:(.text+0x500): undefined reference to `usb_anchor_urb'
      btmtk.c:(.text+0x50a): undefined reference to `usb_submit_urb'
      btmtk.c:(.text+0x92c): undefined reference to `usb_control_msg'
      btmtk.c:(.text+0xa92): undefined reference to `usb_unanchor_urb'
      btmtk.c:(.text+0x11e4): undefined reference to `usb_set_interface'
      btmtk.c:(.text+0x120a): undefined reference to `usb_kill_anchored_urbs'
      
      Disallow this configuration.
      
      Fixes: f0c83a23 ("Bluetooth: btmtk: Fix btmtk.c undefined reference build error")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      61f7a8f9
    • Chris Lu's avatar
      Bluetooth: btmtk: Fix btmtk.c undefined reference build error · f0c83a23
      Chris Lu authored
      MediaTek moved some usb interface related function to btmtk.c which
      may cause build failed if BT USB Kconfig wasn't enabled.
      Fix undefined reference by adding config check.
      
      btmtk.c:(.text+0x89c): undefined reference to `usb_alloc_urb'
      btmtk.c:(.text+0x8e3): undefined reference to `usb_free_urb'
      btmtk.c:(.text+0x956): undefined reference to `usb_free_urb'
      btmtk.c:(.text+0xa0e): undefined reference to `usb_anchor_urb'
      btmtk.c:(.text+0xb43): undefined reference to `usb_autopm_get_interface'
      btmtk.c:(.text+0xb7e): undefined reference to `usb_autopm_put_interface'
      btmtk.c:(.text+0xf70): undefined reference to `usb_disable_autosuspend'
      btmtk.c:(.text+0x133a): undefined reference to `usb_control_msg'
      
      Fixes: d019930b ("Bluetooth: btmtk: move btusb_mtk_hci_wmt_sync to btmtk.c")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Closes: https://lore.kernel.org/oe-kbuild-all/202407091928.AH0aGZnx-lkp@intel.com/Signed-off-by: default avatarChris Lu <chris.lu@mediatek.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      f0c83a23
    • Luiz Augusto von Dentz's avatar
      Bluetooth: hci_sync: Fix suspending with wrong filter policy · 96b82af3
      Luiz Augusto von Dentz authored
      When suspending the scan filter policy cannot be 0x00 (no acceptlist)
      since that means the host has to process every advertisement report
      waking up the system, so this attempts to check if hdev is marked as
      suspended and if the resulting filter policy would be 0x00 (no
      acceptlist) then skip passive scanning if thre no devices in the
      acceptlist otherwise reset the filter policy to 0x01 so the acceptlist
      is used since the devices programmed there can still wakeup be system.
      
      Fixes: 182ee45d ("Bluetooth: hci_sync: Rework hci_suspend_notifier")
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      96b82af3
    • Chris Lu's avatar
      Bluetooth: btmtk: Fix kernel crash when entering btmtk_usb_suspend · d09009bc
      Chris Lu authored
      If MediaTek's Bluetooth setup is unsuccessful, a NULL pointer issue
      occur when the system is suspended and the anchored kill function
      is called. To avoid this, add protection to prevent executing the
      anchored kill function if the setup is unsuccessful.
      
      [    6.922106] Hardware name: Acer Tomato (rev2) board (DT)
      [    6.922114] Workqueue: pm pm_runtime_work
      [    6.922132] pstate: 804000c9
      (Nzcv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      [    6.922147] pc : usb_kill_anchored_urbs+0x6c/0x1e0
      [    6.922164] lr : usb_kill_anchored_urbs+0x48/0x1e0
      [    6.922181] sp : ffff800080903b60
      [    6.922187] x29: ffff800080903b60
      x28: ffff2c7b85c32b80 x27: ffff2c7bbb370930
      [    6.922211] x26: 00000000000f4240
      x25: 00000000ffffffff x24: ffffd49ece2dcb48
      [    6.922255] x20: ffffffffffffffd8
      x19: 0000000000000000 x18: 0000000000000006
      [    6.922276] x17: 6531656337386238
      x16: 3632373862333863 x15: ffff800080903480
      [    6.922297] x14: 0000000000000000
      x13: 303278302f303178 x12: ffffd49ecf090e30
      [    6.922318] x11: 0000000000000001
      x10: 0000000000000001 x9 : ffffd49ecd2c5bb4
      [    6.922339] x8 : c0000000ffffdfff
      x7 : ffffd49ecefe0db8 x6 : 00000000000affa8
      [    6.922360] x5 : ffff2c7bbb35dd48
      x4 : 0000000000000000 x3 : 0000000000000000
      [    6.922379] x2 : 0000000000000000
      x1 : 0000000000000003 x0 : ffffffffffffffd8
      [    6.922400] Call trace:
      [    6.922405]  usb_kill_anchored_urbs+0x6c/0x1e0
      [    6.922422]  btmtk_usb_suspend+0x20/0x38
      [btmtk 5f200a97badbdfda4266773fee49acfc8e0224d5]
      [    6.922444]  btusb_suspend+0xd0/0x210
      [btusb 0bfbf19a87ff406c83b87268b87ce1e80e9a829b]
      [    6.922469]  usb_suspend_both+0x90/0x288
      [    6.922487]  usb_runtime_suspend+0x3c/0xa8
      [    6.922507]  __rpm_callback+0x50/0x1f0
      [    6.922523]  rpm_callback+0x70/0x88
      [    6.922538]  rpm_suspend+0xe4/0x5a0
      [    6.922553]  pm_runtime_work+0xd4/0xe0
      [    6.922569]  process_one_work+0x18c/0x440
      [    6.922588]  worker_thread+0x314/0x428
      [    6.922606]  kthread+0x128/0x138
      [    6.922621]  ret_from_fork+0x10/0x20
      [    6.922644] Code: f100a274 54000520 d503201f d100a260 (b8370000)
      [    6.922654] ---[ end trace 0000000000000000 ]---
      
      Fixes: ceac1cb0 ("Bluetooth: btusb: mediatek: add ISO data transmission functions")
      Signed-off-by: default avatarChris Lu <chris.lu@mediatek.com>
      Reported-by: Nícolas F. R. A. Prado <nfraprado@collabora.com> #KernelCI
      Tested-by: default avatarNícolas F. R. A. Prado <nfraprado@collabora.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      d09009bc
    • Kiran K's avatar
      Bluetooth: btintel: Fail setup on error · e22a3a9d
      Kiran K authored
      Do not attempt to send any hci command to controller if *setup* function
      fails.
      
      Fixes: af395330 ("Bluetooth: btintel: Add Intel devcoredump support")
      Signed-off-by: default avatarKiran K <kiran.k@intel.com>
      Signed-off-by: default avatarLuiz Augusto von Dentz <luiz.von.dentz@intel.com>
      e22a3a9d
    • Mark Mentovai's avatar
      net: phy: realtek: add support for RTL8366S Gigabit PHY · 225990c4
      Mark Mentovai authored
      The PHY built in to the Realtek RTL8366S switch controller was
      previously supported by genphy_driver. This PHY does not implement MMD
      operations. Since commit 9b01c885 ("net: phy: c22: migrate to
      genphy_c45_write_eee_adv()"), MMD register reads have been made during
      phy_probe to determine EEE support. For genphy_driver, these reads are
      transformed into 802.3 annex 22D clause 45-over-clause 22
      mmd_phy_indirect operations that perform MII register writes to
      MII_MMD_CTRL and MII_MMD_DATA. This overwrites those two MII registers,
      which on this PHY are reserved and have another function, rendering the
      PHY unusable while so configured.
      
      Proper support for this PHY is restored by providing a phy_driver that
      declares MMD operations as unsupported by using the helper functions
      provided for that purpose, while remaining otherwise identical to
      genphy_driver.
      
      Fixes: 9b01c885 ("net: phy: c22: migrate to genphy_c45_write_eee_adv()")
      Reported-by: default avatarRussell Senior <russell@personaltelco.net>
      Closes: https://github.com/openwrt/openwrt/issues/15981
      Link: https://github.com/openwrt/openwrt/issues/15739Signed-off-by: default avatarMark Mentovai <mark@mentovai.com>
      Reviewed-by: default avatarMaxime Chevallier <maxime.chevallier@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      225990c4
    • Johan Hovold's avatar
      wifi: ath12k: fix soft lockup on suspend · a47f3320
      Johan Hovold authored
      The ext interrupts are enabled when the firmware has been started, but
      this may never happen, for example, if the board configuration file is
      missing.
      
      When the system is later suspended, the driver unconditionally tries to
      disable interrupts, which results in an irq disable imbalance and causes
      the driver to spin indefinitely in napi_synchronize().
      
      Make sure that the interrupts have been enabled before attempting to
      disable them.
      
      Fixes: d8899132 ("wifi: ath12k: driver for Qualcomm Wi-Fi 7 devices")
      Cc: stable@vger.kernel.org	# 6.3
      Signed-off-by: default avatarJohan Hovold <johan+linaro@kernel.org>
      Acked-by: default avatarJeff Johnson <quic_jjohnson@quicinc.com>
      Link: https://patch.msgid.link/20240709073132.9168-1-johan+linaro@kernel.orgSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      a47f3320
    • Sean Wang's avatar
      wifi: mt76: mt7921: fix null pointer access in mt792x_mac_link_bss_remove · 6557a28f
      Sean Wang authored
      Fix null pointer access in mt792x_mac_link_bss_remove.
      
      To prevent null pointer access, we should assign the vif to bss_conf in
      mt7921_add_interface. This ensures that subsequent operations on the BSS
      can properly reference the correct vif.
      
      [  T843] Call Trace:
      [  T843]  <TASK>
      [  T843]  ? __die+0x1e/0x60
      [  T843]  ? page_fault_oops+0x157/0x450
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? search_bpf_extables+0x5a/0x80
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? exc_page_fault+0x2bb/0x670
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? lock_timer_base+0x71/0x90
      [  T843]  ? asm_exc_page_fault+0x26/0x30
      [  T843]  ? mt792x_mac_link_bss_remove+0x24/0x110 [mt792x_lib]
      [  T843]  ? mt792x_remove_interface+0x6e/0x90 [mt792x_lib]
      [  T843]  ? ieee80211_do_stop+0x507/0x7e0 [mac80211]
      [  T843]  ? ieee80211_stop+0x53/0x190 [mac80211]
      [  T843]  ? __dev_close_many+0xa5/0x120
      [  T843]  ? __dev_change_flags+0x18c/0x220
      [  T843]  ? dev_change_flags+0x21/0x60
      [  T843]  ? do_setlink+0xdf9/0x11d0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? security_sock_rcv_skb+0x33/0x50
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? __nla_validate_parse+0x61/0xd10
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? genl_done+0x53/0x80
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? netlink_dump+0x357/0x410
      [  T843]  ? __rtnl_newlink+0x5d6/0x980
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? genl_family_rcv_msg_dumpit+0xdf/0xf0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? __kmalloc_cache_noprof+0x44/0x210
      [  T843]  ? rtnl_newlink+0x42/0x60
      [  T843]  ? rtnetlink_rcv_msg+0x152/0x3f0
      [  T843]  ? mptcp_pm_nl_dump_addr+0x180/0x180
      [  T843]  ? rtnl_calcit.isra.0+0x130/0x130
      [  T843]  ? netlink_rcv_skb+0x56/0x100
      [  T843]  ? netlink_unicast+0x199/0x290
      [  T843]  ? netlink_sendmsg+0x21d/0x490
      [  T843]  ? __sock_sendmsg+0x78/0x80
      [  T843]  ? ____sys_sendmsg+0x23f/0x2e0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? copy_msghdr_from_user+0x68/0xa0
      [  T843]  ? ___sys_sendmsg+0x81/0xd0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? crng_fast_key_erasure+0xbc/0xf0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? get_random_bytes_user+0x126/0x140
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? __fdget+0xb1/0xe0
      [  T843]  ? __sys_sendmsg+0x56/0xa0
      [  T843]  ? srso_alias_return_thunk+0x5/0xfbef5
      [  T843]  ? do_syscall_64+0x5f/0x170
      [  T843]  ? entry_SYSCALL_64_after_hwframe+0x55/0x5d
      [  T843]  </TASK>
      
      Fixes: 1541d63c ("wifi: mt76: mt7925: add mt7925_mac_link_bss_remove to remove per-link BSS")
      Reported-by: default avatarBert Karwatzki <spasswolf@web.de>
      Closes: https://lore.kernel.org/linux-wireless/2fee61f8c903d02a900ca3188c3742c7effd102e.camel@web.de/#bSigned-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Tested-by: default avatarBert Karwatzki <spasswolf@web.de>
      Link: https://patch.msgid.link/20240718234633.12737-1-sean.wang@kernel.orgSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      6557a28f
    • Baochen Qiang's avatar
      wifi: ath12k: fix reusing outside iterator in ath12k_wow_vif_set_wakeups() · 189d7aae
      Baochen Qiang authored
      Smatch throws below warning:
      
      	drivers/net/wireless/ath/ath12k/wow.c:434 ath12k_wow_vif_set_wakeups()
      	warn: reusing outside iterator: 'i'
      
      	drivers/net/wireless/ath/ath12k/wow.c
      	    411         default:
      	    412                 break;
      	    413         }
      	    414
      	    415         for (i = 0; i < wowlan->n_patterns; i++) {
      	                            ^^^^^^^^^^^^^^^^^^^^^^
      	Here we loop until ->n_patterns
      
      	    416                 const struct cfg80211_pkt_pattern *eth_pattern = &patterns[i];
      	    417                 struct ath12k_pkt_pattern new_pattern = {};
      	    418
      	    419                 if (WARN_ON(eth_pattern->pattern_len > WOW_MAX_PATTERN_SIZE))
      	    420                         return -EINVAL;
      	    421
      	    422                 if (ar->ab->wow.wmi_conf_rx_decap_mode ==
      	    423                     ATH12K_HW_TXRX_NATIVE_WIFI) {
      	    424                         ath12k_wow_convert_8023_to_80211(ar, eth_pattern,
      	    425                                                          &new_pattern);
      	    426
      	    427                         if (WARN_ON(new_pattern.pattern_len > WOW_MAX_PATTERN_SIZE))
      	    428                                 return -EINVAL;
      	    429                 } else {
      	    430                         memcpy(new_pattern.pattern, eth_pattern->pattern,
      	    431                                eth_pattern->pattern_len);
      	    432
      	    433                         /* convert bitmask to bytemask */
      	--> 434                         for (i = 0; i < eth_pattern->pattern_len; i++)
      	    435                                 if (eth_pattern->mask[i / 8] & BIT(i % 8))
      	    436                                         new_pattern.bytemask[i] = 0xff;
      
      	This loop re-uses i and the loop ends with i == eth_pattern->pattern_len.
      	This looks like a bug.
      
      Change to use a new iterator 'j' for the inner loop to fix it.
      
      Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.1.0-03427-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1.15378.4
      
      Fixes: 4a3c212e ("wifi: ath12k: add basic WoW functionalities")
      Reported-by: default avatarDan Carpenter <dan.carpenter@linaro.org>
      Closes: https://lore.kernel.org/all/d4975b95-9c43-45af-a0ab-80253f18c7f2@stanley.mountain/Signed-off-by: default avatarBaochen Qiang <quic_bqiang@quicinc.com>
      Acked-by: default avatarJeff Johnson <quic_jjohnson@quicinc.com>
      Link: https://patch.msgid.link/20240722033332.6273-1-quic_bqiang@quicinc.comSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      189d7aae
    • Johannes Berg's avatar
      wifi: cfg80211: correct S1G beacon length calculation · 6873cc44
      Johannes Berg authored
      The minimum header length calculation (equivalent to the start
      of the elements) for the S1G long beacon erroneously required
      only up to the start of u.s1g_beacon rather than the start of
      u.s1g_beacon.variable. Fix that, and also shuffle the branches
      around a bit to not assign useless values that are overwritten
      later.
      
      Reported-by: syzbot+0f3afa93b91202f21939@syzkaller.appspotmail.com
      Fixes: 9eaffe50 ("cfg80211: convert S1G beacon to scan results")
      Link: https://patch.msgid.link/20240724132912.9662972db7c1.I8779675b5bbda4994cc66f876b6b87a2361c3c0b@changeidSigned-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      6873cc44